
Scripting Vulnerability Crisis: Crawling Out of the Rabbit Hole


By: ericcacordier

March 15, 2017

What you do not know will not hurt you, right? Wrong! Scripting vulnerabilities will creep up on you, and they can cause a temporary project shutdown, an entire rewrite of a project or, worse, project cancellation. Long gone are the days of developing just to see if it works. Waiting for a security team to catch your malformed code is no longer a luxury of any corporate or government project standard; we must architect and code responsibly with security in mind from day one.

"What about all those new scripting languages that are considered more powerful, give us greater flexibility with our coding and ease of use?" Nope; you as a developer have a responsibility to secure ‘data at rest’ and ‘data in transit’. The minute you use a <script> tag for data you have opened a Pandora’s box of security vulnerabilities.

"What about JSON; everyone uses JSON?" While the data is available for XSS escape and evade tactics, why run the risk for the sake of high-performance coding when securing the data on the server is best?

"My project is inside a firewall and therefore we can code our internal application however we want to." I can also wrap myself in warm fuzzy blankets, but eventually, in a rain storm, I will still get wet. The reality is that no firewall is ultimately a 100% guarantee of security, and as developers coding for internal or external applications we must still maintain a responsibility for ‘data at rest’ and ‘data in transit’.

"I am also on a (https) secure socket layer with a signed security certificate and therefore I can code my project however I want to." ‘Man in the Middle’ attacks are one of the simplest exploits that any low-level hacker is quite adept at.
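The "Pandora's box" the post refers to when data goes into a <script> tag has a concrete shape: a string containing `</script>` ends the script element early and the rest of the data is parsed as HTML, and `JSON.stringify` alone does not prevent it. The following JavaScript is an added example, not code from the original post; the record, the `window.__DATA__` name and the helper functions are all constructed for illustration.

```javascript
// Constructed sample record of the kind a server might embed in a page.
// The name field deliberately contains a closing script tag so the hazard
// is visible; the note contains U+2028, a JS line terminator.
const SAMPLE_RECORD = {
  name: "Alice </script><b>html now</b>",
  note: "line\u2028break",
};

// Serialize for inclusion inside <script>...</script>: escape every
// character that could terminate the element or break JS parsing.
// The output is still valid JSON, so it parses back to the same value.
function jsonForScriptTag(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Defensive check for a unit test or a review of server-rendered output:
// true when the serialized blob could still close the script element or
// open an HTML comment that swallows the rest of the script.
function canBreakOutOfScript(serialized) {
  return /<\/script/i.test(serialized) || /<!--/.test(serialized);
}

// Build the script element text the way a template would (hypothetical
// global name window.__DATA__).
function renderDataScript(value) {
  return `<script>window.__DATA__ = ${jsonForScriptTag(value)};</script>`;
}

// Round trip: the escaped text must decode to exactly the original value,
// otherwise the escaping has changed the data rather than protected it.
function roundTrips(value) {
  const parsed = JSON.parse(jsonForScriptTag(value));
  return JSON.stringify(parsed) === JSON.stringify(value);
}
```

Running `canBreakOutOfScript(JSON.stringify(SAMPLE_RECORD))` returns true while the escaped form returns false, which is the difference between a template that trusts `JSON.stringify` and one that escapes for the script context.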
Being in the middle of loan applications for major banks, e-commerce transactions for some of the largest companies online and even the endless forms required for any governing entity is often worth a lot of money and spies-like-us efforts.

Currently, a large majority of online commerce is being performed with serious scripting vulnerabilities on the front end of these sites. These vulnerabilities lead to security holes, and efforts from the outside to exploit these weaknesses often go undetected for years. We need immediate intervention by a Government Agency to flag, regulate and, if needed, fine these sites. The capability exists to control loan applications, credit card applications and e-commerce transactions, and to exploit thousands of customers’ PII and thousands of customers’ credit card information.

"I found these security vulnerabilities on my corporation’s websites and applications. I documented it, contacted my security team and created a formal report, and my job was terminated regardless." Again, we need a Government Agency to flag, regulate and, if needed, fine the sites and the corporations that own them. We need new laws to govern these actions and to protect developers caught in the middle of big corporate greed.

"I was required, after I was hired, to build the frontend for applications and websites using methods that were inherently insecure. I proposed a plan to my management team to securely code the projects, I created a formal report and I also notified my security team. My job was still terminated." Again, we need new laws to govern these actions and to protect developers caught in the middle of layers of management that are often out of control.

In the world today, the security-minded and focused developer does not always get to be a superhero. You're often portrayed to a team as the odd man out, someone rocking the boat or a threat to the project.
The reality is that hacking is big business, and the access and control that goes with it is highly regarded in criminal organizations that monetize an exploit. I have seen as many as half the vehicles on a team vandalized or involved in accidents, all in the same month, and development teams exposed to viruses and other respiratory ailments for months at a time. This list could go on and on, but the only reason it goes on is a lack of laws and regulation to force these corporations to close all frontend security vulnerabilities. Therefore, getting your hacker onto our team so that he can continue to code holes is not a criminal enterprise worthy of a Hollywood budget and stunt team.